STIGQter: STIG Summary: Windows 10 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 04 May 2021

Caching of logon credentials must be limited.

DISA Rule

SV-220923r569187_rule

Vulnerability Number

V-220923

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

WN10-SO-000085

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

This is the default configuration for this setting (10 logons to cache).

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to "10" logons or less.

This setting only applies to domain-joined systems; however, it is configured by default on all systems.

Check Contents

This is the default configuration for this setting (10 logons to cache).

If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Value Name: CachedLogonsCount

Value Type: REG_SZ
Value: 10 (or less)

This setting only applies to domain-joined systems; however, it is configured by default on all systems.
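
The check above can be scripted. The following PowerShell is an added example, not part of the STIG or of any DISA tooling; `Test-CachedLogonsCount` is a hypothetical helper name. Because the value is stored as REG_SZ, the script converts the string to an integer before comparing it, and it reports a finding when the value is missing, has the wrong type, or is not a number.

```powershell
# Added example: audits WN10-SO-000085 on the local machine.
# Test-CachedLogonsCount is a hypothetical helper name, not a built-in cmdlet.
function Test-CachedLogonsCount {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [int]$Maximum = 10
    )

    # Start from "finding" and clear it only when every condition is met.
    $result = [ordered]@{
        Rule    = 'WN10-SO-000085'
        Raw     = $null
        Kind    = $null
        Finding = $true
        Reason  = $null
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains 'CachedLogonsCount') {
        $result.Reason = 'CachedLogonsCount does not exist'
        return [pscustomobject]$result
    }

    $result.Raw  = $key.GetValue('CachedLogonsCount')
    $result.Kind = $key.GetValueKind('CachedLogonsCount')

    $count = 0
    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        $result.Reason = "Value type is $($result.Kind), expected REG_SZ"
    }
    elseif (-not [int]::TryParse([string]$result.Raw, [ref]$count)) {
        $result.Reason = "Value '$($result.Raw)' is not a whole number"
    }
    elseif ($count -lt 0) {
        # Assumption of this example: a negative count is treated as misconfigured.
        $result.Reason = "Value $count is negative"
    }
    elseif ($count -gt $Maximum) {
        $result.Reason = "Value $count exceeds $Maximum"
    }
    else {
        $result.Finding = $false
        $result.Reason  = "Value $count is $Maximum or less"
    }
    [pscustomobject]$result
}

Test-CachedLogonsCount
```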

Documentable

False

Check Content Reference

M

Target Key

4072
